Discussion in 'other anti-malware software' started by Mr.X, Feb 16, 2017.
Shut that thing off next time
That "thing" is solid protection, as proven, but yes, for testing it has to be shut off.
I tested it with all protections enabled, including AppGuard.
It might be a "specific issue" in your case.
But i don't want to speculate, after the response from the developer we'll know more.
Keep us informed
He responded and couldn't duplicate it either. I may ask if you can take a look with me later.
Curious, but are you peeps who run it and see positive results for yourselves comfortable enough with the TRAY ICON color change feature for ALERTING?
I've been testing and am totally sold on its protection AND, at least on Windows 8.1, complete compatibility along with working well with a series of other security apps in place.
I don't want to beat a dead horse here but like I said, curious. But would anyone else like to see a toast/pop-up feature to accent it visually, or at the very least some added Audio Feature (similar to ERP) where on a CONFIRMED and LOGGED BLOCK MZWriteScanner might also issue a sound alert?
Just wondering if that would be a bit much to expect.
Yes, I know, AS-IS the driver does the duty as expected with triggering the Tray Icon color, but adding an active screen element might be too much to expect?
Or is it unreasonable?
Perhaps something like a balloon message?
In addition, the path of the blocked file can be displayed in it...
Tray.exe is based on AutoIt, so it shouldn't be hard for them to implement it.
Not a bad idea. Sometimes it's a while before I notice the color change. Good thing is whatever alerted can't execute. The downside is you'd get a few more alerts and it could be annoying.
I honestly took that little issue to mind before posting the opinion/suggestion.
True, the block 'n' logging wasn't stopped from the intended purpose due to that, but because it happened at all, that gives some cause for interest (at least on this end) as to just what might be a useful addition to strengthen the program's limited but potentially more useful aesthetics.
I agree it's a more obvious alert. But I have a hunch it could prove too annoying. I'd want to turn off everything but the way it is.
I think that it would be great as well to have an option to show operating system Toast/balloon popups, and it should be very easy for the developer to add this if someone suggests it to him. The Tray.exe binaries from all of his Excubits drivers likely follow the same codebase as his BouncerTray.exe tool from Bouncer. Bouncer has Toasts by default and therefore they should easily be ported over to the other drivers' tray tools. There may even be a command line switch to enable it, but I am not aware of all of the switches available. For Bouncer, personally, I disable the Toasts with "BouncerTray.exe nopopups" because I prefer to keep it as simple as possible. But I think that it would be good to have a choice so that users can enable those toast notifications if they would like them.
If someone has time to email Florian to suggest these OS toast notifications, maybe also ask if there is already a built in command line switch as well.
I think there will be such functions very soon.
Fingers crossed LoL
Hi Easter. I don't think this is what you are hoping for. It's only about alerts, etc., that you get from the tray applications. You still need to install the drivers manually (not hard), and still need to do the ini files manually, paying attention to the rules involved. Things that are critical are no spaces, unicode format, and a line space at the end of the file. None of it is difficult once you get used to it.
Is it worth it? Yep. I don't know of anything that really replaces MZWriteScanner's functionality, save one or two of Excubits' other drivers.
A question: Does MZWriteScanner do anything that NVT Process Logger Service doesn't do? @mood ?
What MZWriteScanner does is 2 things. One, you get a visible alert by the icon turning red. The 2nd thing is, until you clear the log file, execution is blocked. That's the key.
Thanks for explaining. Sounds like I should give it a spin.
Note it detects exe, dll, sys, tmp and bat files. Basically all executable types. Also, it doesn't matter where they are dropped on your system. Since I have 3 internal drives, it detects drops on any of the drives.
Clearly I am doing something wrong. It is not installing properly?
I right-click installed the .inf file but if I try and start MZWriteScanner I get: 'System Error 2 has occurred. The system cannot find the file specified.'
Seems like some sort of access denied issue? I have AG and VS set to allow install.
The tray icon is grey, and it cannot find the config.ini file.
However if I sc delete MZWriteScanner, I get DeleteService SUCCESS.
Did you put the .ini file in c:\windows? I think you will get that error if it isn't there. You have to manually copy it in.
Ha! That did it, thanks Pete. Must have missed that in the readme. RTFM.
I remember doing that for FIDES, but did not click to do it now.
Edit: Will run it in (non-lethal) LOGGING mode and see what it does.
Go thru a couple of reboot cycles. Also be aware, the format is slightly different. If you'd like I can PM you my ini file. Basically you will get like a parent followed by the caret, then will come the blocked program followed by another caret, which is followed by the sha256 stuff. You want what is between the carets.
Also, the log file will have the info but it puts spaces in there. You have to take out the spaces.
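The conversion Pete describes above (take the field between the carets, drop the padding, write the result as a clean rule list) is mechanical enough to script. The block below is an added example for this thread, not Excubits' code or anything shipped with MZWriteScanner. The log layout (parent ^ blocked file ^ sha256, padded with spaces) is modelled on the description in the post and is an assumption, as is the choice of UTF-16 LE with a BOM for the "unicode format" the ini is said to need; the sample log lines are constructed. It only produces the rule lines themselves, since the thread does not show the surrounding ini structure.

```python
"""Turn MZWriteScanner-style log lines into rule lines for the ini whitelist.

Added example; not Excubits' code. Field order (parent ^ blocked ^ digest) and
the space padding follow the thread's description and are assumptions.
"""
import re

# Constructed sample, not real MZWriteScanner output. Note the padding around
# the carets and the duplicate entry for setup.exe.
SAMPLE_LOG = (
    "C:\\Windows\\explorer.exe ^ C:\\Users\\Pete\\Downloads\\setup.exe ^ "
    "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\n"
    "C:\\Users\\Pete\\Downloads\\setup.exe ^ "
    "C:\\Users\\Pete\\AppData\\Local\\Temp\\helper.dll ^ "
    "60303ae22b998861bce3b28f33eec1be758a213c86c93c076dbe9f558c11c752\n"
    "C:\\Windows\\explorer.exe ^ C:\\Users\\Pete\\Downloads\\setup.exe ^ "
    "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\n"
    "garbage line without carets\n"
)

SEPARATOR = "^"
HEX_DIGEST = re.compile(r"^[0-9a-f]{64}$")


def parse_log_line(line):
    """Split one log line into (parent, blocked, sha256).

    Returns None when the line does not carry exactly three non-empty
    caret-separated fields, so stray lines in the log are skipped rather
    than turned into bogus rules. Padding around the carets is removed.
    """
    fields = [f.strip() for f in line.split(SEPARATOR)]
    if len(fields) != 3 or not all(fields):
        return None
    parent, blocked, digest = fields
    digest = digest.lower()
    if not HEX_DIGEST.match(digest):
        return None
    return parent, blocked, digest


def extract_rules(log_text):
    """Return the blocked paths (the field between the carets), deduplicated
    in first-seen order. These are the entries to add to the whitelist."""
    rules = []
    for line in log_text.splitlines():
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        _parent, blocked, _digest = parsed
        if blocked not in rules:
            rules.append(blocked)
    return rules


def render_rule_lines(rules):
    """One rule per line, no padding, and a trailing line break (the thread
    says the file must end with one)."""
    return "\n".join(rules) + "\n"


def encode_ini(text):
    """Encode as UTF-16 LE with a BOM, which is what Windows tools usually
    mean by 'Unicode' (assumption; check the readme for the exact encoding)."""
    return b"\xff\xfe" + text.encode("utf-16-le")


if __name__ == "__main__":
    rule_text = render_rule_lines(extract_rules(SAMPLE_LOG))
    print(rule_text, end="")
    print(f"{len(encode_ini(rule_text))} bytes when written as UTF-16 LE")
```

Run it against a real log by replacing SAMPLE_LOG with the file's contents; the deduplication matters because a single dropped file often shows up once per write, and the digest check throws away any line whose third field is not a SHA-256, which is a cheap guard against pasting a corrupted line into the rule set.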
I will do a couple of reboots tomorrow.
If you could PM me your ini file, that will surely help.
My system is not static; I do a lot of installs / updates so it may not be practical for me, but willing to give it a go.
Your system can't change any more than mine. What I do is turn off MZ, install new software, then turn it back on and watch what the log files show.
Oh, and you must turn it off to do an uninstall or it will block it. Pain, but excellent protection.
I wouldn't compare both applications, they are doing different things.
MZWriteScanner is monitoring all dropped files which have a PE header (.exe, .dll, .sys, ...) and if one file has been dropped to a "non-whitelisted location" (by default all locations which are not mentioned in the whitelist are automatically blacklisted), MZWriteScanner "remembers" the hash of the dropped file, and even if malware is able to copy it from the blacklisted location to Program Files or to a whitelisted location, the file is still blocked.
= Once detected, it has no chance to be executed.
But beware, after a restart of the service or after a reboot, the previously dropped file will be able to be executed!
Process Logger Service is only logging all Process Executions, it is not blocking anything.
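The behaviour mood describes (a PE drop outside the whitelist records the file's hash, the hash is blocked wherever the file is later copied, and the memory is lost on restart) is easiest to reason about as a small state machine. The block below is an added model written for this thread; it is not Excubits' code and does not reflect how the kernel driver is actually implemented. The whitelist directories, the PE-like byte string and the file paths are constructed, and treating "has a PE header" as "starts with the two bytes MZ" is a simplification.

```python
"""Toy model of the MZWriteScanner policy as described in the thread.

Added example, not Excubits' code. Models: a write of PE bytes outside the
whitelist records the SHA-256; executing anything with that hash is denied
regardless of its current location; clearing the log or restarting the
service forgets the hashes. Whitelist, paths and bytes are constructed.
"""
import hashlib
from pathlib import PureWindowsPath

# Constructed whitelist. Everything not under these roots is blacklisted.
WHITELIST = [PureWindowsPath(r"C:\Windows"), PureWindowsPath(r"C:\Program Files")]


def is_pe(data: bytes) -> bool:
    """Simplified PE check: the DOS header starts with 'MZ'."""
    return data[:2] == b"MZ"


def in_whitelist(path: str, whitelist=WHITELIST) -> bool:
    """True if path lies under one of the whitelisted roots.
    PureWindowsPath compares case-insensitively, as NTFS paths do."""
    parents = PureWindowsPath(path).parents
    return any(root in parents for root in whitelist)


class WriteScannerModel:
    def __init__(self, whitelist=WHITELIST):
        self.whitelist = list(whitelist)
        self.blocked_hashes = set()   # lost on restart or when the log is cleared
        self.log = []                 # (path, sha256) for each flagged write

    def on_write(self, path: str, data: bytes) -> bool:
        """Called for every completed file write. Returns True if flagged."""
        if not is_pe(data) or in_whitelist(path, self.whitelist):
            return False
        digest = hashlib.sha256(data).hexdigest()
        self.blocked_hashes.add(digest)
        self.log.append((path, digest))
        return True

    def on_execute(self, path: str, data: bytes) -> bool:
        """Returns True if execution is allowed. Location is irrelevant:
        only the hash of the bytes being executed is consulted."""
        return hashlib.sha256(data).hexdigest() not in self.blocked_hashes

    def clear_log(self) -> None:
        """Clearing the log releases the block (per the thread)."""
        self.log.clear()
        self.blocked_hashes.clear()

    def restart(self) -> None:
        """Service restart / reboot: remembered hashes are gone (the caveat)."""
        self.blocked_hashes.clear()


def demo() -> dict:
    """Walk through the scenario from the thread and return what happened."""
    # Constructed PE-like bytes: MZ stub followed by a PE signature.
    payload = b"MZ" + b"\x90" * 58 + b"\x40\x00\x00\x00" + b"PE\x00\x00" + b"\x00" * 60
    m = WriteScannerModel()
    dropped = r"C:\Users\Pete\Downloads\setup.exe"
    copied = r"C:\Program Files\Vendor\setup.exe"

    flagged = m.on_write(dropped, payload)
    blocked_in_downloads = not m.on_execute(dropped, payload)
    # Copying the same bytes into a whitelisted folder is not itself flagged,
    # but the hash is already remembered, so execution stays blocked.
    copy_flagged = m.on_write(copied, payload)
    blocked_in_program_files = not m.on_execute(copied, payload)
    text_ignored = not m.on_write(r"C:\Users\Pete\Downloads\notes.txt", b"hello")
    m.restart()
    allowed_after_restart = m.on_execute(copied, payload)
    return {
        "flagged": flagged,
        "blocked_in_downloads": blocked_in_downloads,
        "copy_flagged": copy_flagged,
        "blocked_in_program_files": blocked_in_program_files,
        "text_ignored": text_ignored,
        "allowed_after_restart": allowed_after_restart,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model makes the two practical consequences explicit: the block travels with the bytes, not with the path, so relocating a dropped binary into Program Files buys an attacker nothing; and the block is only as durable as the service's memory, so anything that survives until the next reboot or log clear is executable again unless it has been dealt with in the meantime.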
Thanks @mood and @Peter2150 for the ini also. Will start playing with this.
Will post here if I have questions